InfoSec Handlers Diary Blog

Cyberspace was so busy churning out facts yesterday that our Handler on Duty, Donald Smith, furiously posted diary entries to keep you informed. So I thought I would take a moment to summarize the events of April 22 and elaborate further on the situation.

First, spam plagues us every day, so it is important for us to stay current on the threat vectors in use. Don wrote about the latest attempt to exploit users, called “Apocalyptic NEWS Usama Ben Laden.” The email attempts to lure users into downloading a version of Zlob. The links on the blog site are malicious.

Don talked about another spam phenomenon involving Google agenda. This is considered a new method of delivery.

Social network site MySpace was exploited again, this time to lure the user into a download by clicking on a “fake” Microsoft update popup. The popup is actually a large CSS layer which initiates a download session.

Then Don told us about a malicious .rar file (promising Paris Hilton undressing) which cleverly bypassed email gateway security but was ultimately caught by an AV program. The malware appears to be SDBOT.

So there you have it: new spam, Google agenda, social networking CSS and a bot. Another day in the life… But all that was so yesterday; today we have several situations attracting attention from our readers.

First off today, Heather wrote in to tell us about US-CERT releasing an advisory yesterday afternoon concerning a malicious website injecting JavaScript, which infected many UK sites and a UN site. Websense alerted about it here. They analyzed the malware and concluded that it is related to our story by Bojan. We recommended mitigations for the situation here.

Then Andrew from Vancouver wrote in to tell us about his experience with a WordPress blog infection that let spammers insert hidden text into WordPress-powered sites (several versions). While not widespread, the technique is interesting and gives us the opportunity to discuss these methods of attack. Further information is available on the Tech Side Up blog.
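Both the MySpace fake-update popup (a large CSS layer) and the WordPress infection (hidden spam text) come down to the same thing: markup injected into a page that a reader either cannot see or sees as something it is not. As an added example, not code from the diary or from any of the sites it mentions, here is a small Python scanner a site owner can run over their own pages to surface such layers. It flags elements whose inline style hides their content (display:none, visibility:hidden, zero font size, off-screen positioning) or positions a viewport-sized overlay, and reports the text and link targets inside them. The `scan_html` and `InjectedLayerScanner` names, the style rules, and the sample page are all constructed for this example; real injections also use external stylesheets and scripts, which this inline-style check does not cover.

```python
import re
from html.parser import HTMLParser

# Inline-style rules that hide text from a reader while leaving it in the HTML
# (the pattern behind hidden spam text injected into blog pages).
HIDDEN_RULES = {
    "display-none": re.compile(r"display\s*:\s*none", re.I),
    "visibility-hidden": re.compile(r"visibility\s*:\s*hidden", re.I),
    "zero-font": re.compile(r"font-size\s*:\s*0+(\.0+)?\s*(px|em|pt|%)?\s*(;|$)", re.I),
    "offscreen": re.compile(r"(text-indent|left|top)\s*:\s*-\d{3,}", re.I),
}
# A positioned layer sized to cover the viewport: the fake-popup pattern.
OVERLAY_POS = re.compile(r"position\s*:\s*(fixed|absolute)", re.I)
OVERLAY_SIZE = re.compile(r"(width|height)\s*:\s*(100\s*%|\d{3,}\s*px)", re.I)
# Elements that never get a closing tag; they must not sit on the element stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


def classify_style(style):
    """Return 'hidden:<rule>', 'overlay', or None for an inline style string."""
    for name, rule in HIDDEN_RULES.items():
        if rule.search(style):
            return "hidden:" + name
    if OVERLAY_POS.search(style) and OVERLAY_SIZE.search(style):
        return "overlay"
    return None


class InjectedLayerScanner(HTMLParser):
    """Collects text and links found inside hidden or viewport-covering elements."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._stack = []  # open elements, innermost last

    def _innermost_flagged(self):
        for element in reversed(self._stack):
            if element["kind"]:
                return element
        return None

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        attrs = dict(attrs)
        kind = classify_style(attrs.get("style") or "")
        self._stack.append({"tag": tag, "kind": kind, "text": [], "links": []})
        # A link inside a flagged element (or a flagged link itself) is what
        # spam and fake-popup pages are really after, so record its target.
        if tag == "a" and attrs.get("href"):
            flagged = self._innermost_flagged()
            if flagged:
                flagged["links"].append(attrs["href"])

    def handle_data(self, data):
        flagged = self._innermost_flagged()
        if flagged and data.strip():
            flagged["text"].append(data.strip())

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or all(el["tag"] != tag for el in self._stack):
            return
        # Pop to the matching open tag, tolerating sloppy markup; every flagged
        # element closed on the way out becomes a finding.
        while self._stack:
            element = self._stack.pop()
            if element["kind"]:
                self.findings.append({
                    "tag": element["tag"],
                    "kind": element["kind"],
                    "text": " ".join(element["text"]),
                    "links": element["links"],
                })
            if element["tag"] == tag:
                break


def scan_html(html):
    """Return a list of findings for hidden-text and overlay layers in `html`."""
    scanner = InjectedLayerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (not real site content): a clean paragraph, two
# styles of hidden spam text, and a fixed full-screen "update" layer.
SAMPLE_PAGE = """
<html><body>
<h1>My Travel Blog</h1>
<p>Photos from the trip are <a href="/gallery">here</a>.</p>
<div style="display:none">
  cheap pills <a href="http://spam.example/pills">buy now</a>
  <a href="http://spam.example/more">more</a>
</div>
<p style="position:absolute; left:-9999px">casino bonus <a href="http://spam.example/casino">play</a></p>
<div style="position:fixed; top:0; left:0; width:100%; height:100%; background:#fff">
  Windows Update: a critical update is available. <a href="http://update.example/setup.exe">Install now</a>
</div>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(f"{finding['kind']:20} <{finding['tag']}> {finding['text'][:60]!r}")
        for link in finding["links"]:
            print("    link:", link)
```

Run it against the sample and it reports three layers: the display:none div with its two spam links, the off-screen paragraph, and the full-screen overlay with its download link. A clean page produces no findings. The link list is the useful part for triage: hidden spam text on a WordPress site almost always exists to carry links, and a fake-update overlay exists to carry exactly one.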

Another reader sent in an old “download this” scam which seems to have migrated to Skype chat. The following information is used to get the user to click on the included link, which downloads the Downloader Trojan. Your AV should catch the download of this old nasty, but the new delivery vector should be added to the warnings to users in your security awareness programs.